
ACCOUNTING & AUDITING
internal controls

Improving Internal Control Over Financial Reporting
COSO's Guidance Not Just for Public Companies Anymore
By Jeffrey E. Michelman and Bobby E. Waldrup

APRIL 2008 / THE CPA JOURNAL

When the Committee of Sponsoring Organizations (COSO) released its Internal Control-Integrated Framework (ICFR) in 1992, the event went largely unnoticed. The importance of this framework changed dramatically with the passage of the Sarbanes-Oxley Act of 2002 (SOX). Because SOX required all covered entities to base their assessment of internal control on a recognized framework, COSO was readily embraced. Unfortunately, smaller public and nonpublic companies have found the 1992 framework complicated to apply and to understand.

Since the application of COSO by SEC registrants that were accelerated filers in 2004, smaller publicly traded organizations have continued to argue that complying with SOX section 404 was an unfair burden. As a means for improving both the understandability and the applicability of the ICFR, COSO released Internal Control over Financial Reporting-Guidance for Smaller Public Companies (ICFR-SPC). Although the true value and utility of the ICFR-SPC for compliance with SOX section 404 will become clearer over the next several years, the authors believe that the value of the ICFR-SPC goes far beyond publicly traded companies. In particular, ICFR-SPC offers great utility to small businesses, but only if it is properly understood and applied.
ICFR-SPC offers a significant opportunity for small CPA firms to offer value-added services to existing and potential clients. This importance is illustrated in a 2005 survey by the AICPA's Private Companies Practice Section (PCPS), which found that the number-three challenge for small CPA firms was "marketing/practice growth." Small businesses often lack internal controls because the costs are perceived to outweigh the benefits. Yet these same organizations are often burdened by excessive regulatory costs-per-employee and higher-than-average fraud costs and occurrence of fraud. These pressures on small business are listed in Exhibit 1. Many will no doubt interpret this as more evidence of the regulatory burdens placed on small businesses, and will say that small businesses should continue to advocate for continued exemption from compliance with laws like SOX. The authors, however, believe that CPAs have failed to recognize the opportunity to provide added-value internal control services, because small businesses either do not understand the value of internal controls or are unwilling to pay for the evaluation and, ultimately, the application of internal controls. As a result, small businesses are often the organizations most susceptible to fraud.

The inability of CPAs to sell these services to small businesses has often been due to a lack of usable tools to evaluate, apply, and communicate both the importance of internal control and suggestions for its application. (The Sidebar presents a case study of an opportunity missed and the related fraud that ensued.) Unfortunately, small CPA firms often see the need for their services as solely stemming from compliance with a direct demand by an external party (i.e., the IRS or a lender). In contrast, the authors believe that the ICFR-SPC offers a powerful tool for practitioners to provide value-added services that go beyond complying with external demands and pass a cost-benefit test. Moreover, CPAs not involved in the assurance function can seize the opportunity to act as business advisor.

The original five components of internal control in the 1992 ICFR (control environment, risk assessment, control activities, information and communication, and monitoring) offered more insight into how large organizations operate than how small businesses do. In contrast, ICFR-SPC is a framework that offers a clear explanation of the five components of internal control as well as how they apply to small businesses, both for-profit and nonprofit. Because the focus of the ICFR is on financial risk, the secondary benefits to nonassurance clients are not always readily apparent.
The importance of internal control to many small businesses is characterized by 10 factors that the authors believe are particularly important for businesses to enhance their system of internal control (see Exhibit 2). While these 10 characteristics are not necessarily formal internal control threats, they can act as red flags to a CPA.

EXHIBIT 1
Costs of Being Small

In a 2005 study on the impact of regulatory costs on small firms:
Average cost per employee for complying with all regulatory requirements for companies with less than 20 employees: $7,647
Average cost per employee for complying with all regulatory requirements for companies with more than 500 employees: $5,282

In a 2006 study of occupational fraud in the United States:
Median loss of organizations with less than 100 employees with a fraud occurrence: $190,000
Median loss of all organizations with a fraud occurrence: $159,000

Sources: W. Mark Crain, The Impact of Regulatory Costs on Small Firms, SBA Office of Small Business Advocacy, www.sba.gov/advo/research/rs264tot.pdf, 2005; Association of Certified Fraud Examiners, 2006 Report to the Nation on Occupational Fraud and Abuse, www.acfe.com/fraud/report.asp.

EXHIBIT 2
Top 10 Characteristics of Small Businesses Likely to Benefit from Applying COSO SPC

1. Large number of cash transactions.
2. Complicated accounting issues, yet relatively simple accounting systems.
3. Large number of clients/customers with relatively small transaction amounts.
4. Professional owner of the organization who is very focused on service delivery but lacks any formal training in accounting or business.
5. An office manager who is professionally trained in some field other than business.
6. Lack of attention to background screening or employment policies.
7. A "black box" information system with no useful management reports.
8. An organizational structure that complicates the supervision process.
9. Complicated regulatory reporting issues.
10. No audit

In contrast to the original ICFR, the ICFR-SPC links the components in a feedback loop, stressing the importance of internal control as a dynamic process. Although the paramount importance of internal control for public companies is to ensure the integrity of the financial reporting process, the authors think that the three secondary factors of internal control are what make them most valuable to small businesses:

■ Reliable and timely information supporting management's decision-making on matters such as product pricing, capital investment, and resource deployment;
■ Consistent mechanisms for processing transactions across an organization, enhancing the speed at which transactions are initiated and settled, the reliability of related recordkeeping, and the ongoing integrity of data; and
■ Ability and confidence to accurately communicate business performance with business partners and customers.

The importance of these secondary characteristics of internal control can offer untapped value to small businesses. COSO believes that the 20 principles of ICFR-SPC apply to all organizations, with size or complexity affecting only the scope of implementation. In particular, of the 20 basic principles of internal control, the authors believe that CPAs should focus on the importance of 11 of these with businesses of all sizes (highlighted in Exhibit 3). The following discussion focuses on professional service organizations in particular.

CASE STUDY: PROGRESSIVE STEP REHABILITATION SERVICES

Progressive Step Rehabilitation Services (PSRS), in Jacksonville, Fla., allowed an opportunity for fraud to be committed. The tone of the management philosophy and its operating style did not enforce an effective control environment. Rather, management believed in the employees and trusted them accordingly. This attitude, combined with a single employee's delegated responsibility of handling all checks and cash that came in through the mail and the reception desk, left the company at risk.

Although PSRS had security policies established, management and the employees ignored several important ones. When asked for a copy of company policy, it was unavailable. When reperforming the totals as part of a forensic investigation, bank deposits were often missing signatures, and at times the signatures approved miscalculated totals or incomplete deposit slips. These results suggest that some policies were merely perfunctory and clearly not enforced.

A single employee had the opportunity to set checks aside because she was the only one who picked up the mail. She never relinquished the mailbox key, even when repeatedly instructed to do so. Days after giving birth, the employee was back at the office, picking up the mail and the insurance copayments from the physical therapists' offices. Even when she worked only part-time, she always held on to these two tasks. Management did not segregate these duties, and there were no safeguards in place to monitor her activities.

The method of defalcation was a traditional lapping scheme. Checks were set aside by the employee after the mail was opened at the office and were used later to substitute for cash on the bank deposit slip. The bank deposit was altered to include the checks set aside for the same amount as the cash collected. The copy of the deposit slip at the office was not the same as the one used at the bank. The manager would check to see if the totals deposited and the amount on the bank deposit slip matched, but no closer inspection occurred. A single employee had control of the money entering the billing office from beginning to end. It was later determined that the employee had a history of writing bad checks and had committed a similar lapping scheme in another physical therapy practice approximately 10 years earlier.

When asked by the authors about their CPA's role in the business, management noted that the CPA was involved in compiling the monthly financial statements and annual tax returns. When asked if the CPA had been involved in choosing and setting up the accounting and billing system, management responded that the CPA was concerned only that the system would produce the records electronically in order to streamline the process of the month-end reporting. When the authors asked if the CPA was involved in determining the appropriateness of the system selection or evaluating the internal control system of this practice with annual billings of more than $800,000, management responded, "No, but we never asked our CPA to do this." In response, the authors suggested that if one of them entered their practice complaining of a sore hand, but also was unable to walk, he would hope that he would be questioned about the reason for the limp.

When management later learned that PSRS's insurance coverage was inadequate to cover the loss, they further stated that they had never discussed insurance coverage with their CPA, either. There is, of course, no guarantee that the CPA, if applying the principles in COSO's ICFR, could have prevented the over $60,000 fraud, but the authors hope that it would have reduced the amount. Moreover, the CPA's involvement in the business should have represented an important mitigating control whose benefits outweighed the cost.


Control Environment

Of the seven principles that relate to the control environment, four are pervasive across organizations of all types and sizes. Because small nonpublic companies will often have no board of directors or in-house financial reporting unit, this discussion will not address them. Furthermore, the critical aspects of management philosophy and operating style are sufficiently important for small business to be necessary parts of the first principle, integrity and ethical values. Integrity and ethical values are the basis by which the control model is built. Although CPAs cannot instantiate these traits into a client, they can help a business communicate these values to employees on a regular basis, and also remind them of these tenets if a client has "lost their way." It is particularly important for a CPA in these situations to link their code of professional ethics with ethical business practices.

Organizational structure is often difficult for small business owners to understand, particularly if their professional training is technical. In such cases, CPAs can help a business define the administrative relationships in the organization. A logical adjunct to this process is helping a company define the authority and responsibilities of employees, especially the segregation of duties necessary under the circumstances. In particular, human resources is one area in which many companies falter significantly. Because many professionals (e.g., attorneys and physicians) do not take courses in management, they have inadequate knowledge of hiring, training, supervision, performance evaluation, and compensation. In this regard, CPAs need to know when to provide advice and when to seek the help of human resources professionals.

Risk Assessment

Medical and legal professionals often understand and advise their clients on risk assessment, yet they often fail to adequately transfer these concepts to their own businesses. Although the risk of noncompliance with GAAP is an important concept, many small businesses use cash-basis accounting, and therefore should focus on fraud risk rather than on financial reporting objectives and risks. In this respect, a CPA has a twofold role: to understand how the fraud triangle (opportunity, pressure, and rationalization) affects both the business and how the business must pay attention to the dynamic nature of these factors in its employees. Moreover, a CPA should ensure that a client understands whatever fraud risks are unique to the industry, the location, or the broader economy.
Control Activities

Because CPAs in this context are not providing attest services, they should be particularly involved in helping clients identify control activities that facilitate integration with risk assessment. For example, CPAs can advise a small business on the choice of a service bureau to provide payroll services when the fraud-related risk of processing payroll in-house is significant. A CPA can review the service provider's Statement on Auditing Standards (SAS) 70, Service Organizations, report, and advise the client appropriately. In small businesses, selection and development of control activities should focus on mitigating any risks of fraud that have been identified. In particular, small businesses are often unwilling or unable to implement certain types of segregation of duties. CPAs should initiate a discussion about additional outsourcing activities or increased owner involvement.

Because many small businesses do not rely on information technology (IT) controls, CPAs should advise clients of the need to integrate control activities and document them as part of their policies and procedures. Perhaps one of the greatest opportunities for CPAs is to help clients develop and maintain policies and procedures that are appropriate for the organization and are reevaluated as the organization changes. For example, as organizations move from paper to digital format for both financial and nonfinancial data, policies that deal with record maintenance are crucial. Although IT is important, the internal control application will generally be less complex, and the available off-the-shelf software is generally satisfactory. In the authors' opinion, IT is not a significant issue for most small businesses.

EXHIBIT 3
Roadmap for Applying Principles in Achieving Effective Internal Control in Small Businesses

Control Environment
  Integrity and ethical values
  Board of directors
  Management's philosophy and operating style
  Organizational structure
  Financial reporting competencies
  Authority and responsibility
  Human resources

Risk Assessment
  Financial reporting objectives
  Financial reporting risks
  Fraud risk

Control Activities
  Integration with risk assessment
  Selection and development of control activities
  Policies and procedures
  Information technology

Information and Communication
  Financial reporting information
  Internal control information
  Internal communication
  External communication

Monitoring
  Ongoing and separate evaluations
  Reporting deficiencies

Note: Adapted from Internal Control over Financial Reporting-Guidance for Smaller Public Companies, COSO, 2006.

Information and Communication

In a vibrant, growing organization, the owners often become increasingly removed from day-to-day administration. This sense of disconnection requires the regular communication of internal control information in the form of easily understood metrics that have been developed jointly by the client and the CPA. For example, has the mix between cash and credit sales increased the organization's risk of theft?


An organization's internal communication structure is often overlooked, although it is critical to the success of the internal control model. Organizations should encourage employees to communicate with management or owners when they believe that issues of efficiency and effectiveness, or, more important, fraud, have arisen. In this context, the effectiveness of the internal control model is limited by the engagement of the employees involved. Because non-publicly held organizations often do not prepare external reports, they often ignore the importance of information and communication altogether. A critical built-in control of small organizations is involvement of the owner, but as professionals focus on providing a service they become increasingly removed from the administrative and control processes.

Monitoring

Small-business professionals often overlook monitoring because internal control deficiencies do not generally have to be reported to a third party. Nevertheless, ongoing and separate evaluations are quite important for small businesses. The authors believe that a CPA should meet with clients at least once a year to discuss changes in both the internal and external environments. Although professionals understand their service delivery process, they often lose touch with administrative processes that are critical for their business's financial health and viability. Unfortunately, too many organizations develop internal controls but never reexamine them as the organization changes. The area of monitoring is a particularly robust opportunity for CPAs to provide value-added services to clients.

Opportunity for Adding Value

CPAs without public company clients may tend to dismiss the ICFR-SPC as irrelevant. The authors encourage them to reconsider this attitude and work diligently with new or existing clients to communicate the value of these services. CPAs in small practices who do not see the benefits of this framework miss an opportunity to expand their practices. Internal control is not just about complying with SOX section 404. Rather, internal controls, when applied appropriately, help businesses of all sizes thrive and enhance competitiveness.

Jeffrey E. Michelman, PhD, CPA, CMA, is an associate professor of accounting, and Bobby E. Waldrup, PhD, CPA, is an associate dean and associate professor of accounting, both in the department of accounting and finance of the Coggin College of Business of the University of North Florida, Jacksonville, Fla.

Note: The authors would like to thank the following MBA students for their help in completing this project: Vernon Bird, Susanna Ho, Patrick Lynch, Carolyn Thunmin, and Marie Wolford.
